Inventorying cryptographic assets is a foundational best practice for post-quantum cryptography (PQC) readiness, as emphasized by NIST SP 1800-38B. CycloneDX Cryptography Bill of Materials (CBOM) provides a structured way to document algorithms, keys, and protocols, helping organizations assess risks, ensure compliance, and prepare for the transition to quantum-safe systems.
Certificates validate identities and secure communications, but outdated or improperly managed certificates are common attack vectors. CBOM provides a clear inventory of certificates, including expiration dates and cryptographic details, enabling proactive renewal processes and adherence to best practices like those outlined in NIST SP 800-57.
| Property | Usage Description |
|---|---|
| `assetType` | Specifies the category of the cryptographic asset, such as `algorithm`, `certificate`, `protocol`, or `related-crypto-material`. |
| `subjectName` | Denotes the distinguished name of the entity to which the certificate is issued, typically including attributes like Common Name (CN), Organization (O), and Country (C). |
| `issuerName` | Indicates the distinguished name of the certificate authority that issued the certificate, detailing the certifying entity's identity. |
| `signatureAlgorithmRef` | References the identifier of the algorithm used to sign the certificate, ensuring the integrity and authenticity of the certificate's contents. |
| `subjectPublicKeyRef` | References the public key associated with the certificate's subject, used in cryptographic operations like encryption and signature verification. |
| `certificateFormat` | Specifies the encoding format of the certificate, such as PEM or DER, indicating how the certificate's data is structured and represented. |
```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:e8c355aa-2142-4084-a8c7-6d42c8610ba2",
  "version": 1,
  "metadata": {
    "timestamp": "2024-01-09T12:00:00Z",
    "component": {
      "type": "application",
      "name": "my application",
      "version": "1.0"
    }
  },
  "components": [
    {
      "name": "google.com",
      "type": "cryptographic-asset",
      "bom-ref": "crypto/certificate/google.com@sha256:1e15e0fbd3ce95bde5945633ae96add551341b11e5bae7bba12e98ad84a5beb4",
      "cryptoProperties": {
        "assetType": "certificate",
        "certificateProperties": {
          "subjectName": "CN = www.google.com",
          "issuerName": "C = US, O = Google Trust Services LLC, CN = GTS CA 1C3",
          "notValidBefore": "2016-11-21T08:00:00Z",
          "notValidAfter": "2017-11-22T07:59:59Z",
          "signatureAlgorithmRef": "crypto/algorithm/[email protected]",
          "subjectPublicKeyRef": "crypto/key/[email protected]",
          "certificateFormat": "X.509",
          "certificateExtension": "crt"
        }
      }
    },
    {
      "name": "SHA512withRSA",
      "type": "cryptographic-asset",
      "bom-ref": "crypto/algorithm/[email protected]",
      "cryptoProperties": {
        "assetType": "algorithm",
        "algorithmProperties": {
          "parameterSetIdentifier": "512",
          "executionEnvironment": "software-plain-ram",
          "implementationPlatform": "x86_64",
          "certificationLevel": [ "none" ],
          "cryptoFunctions": [ "digest" ],
          "nistQuantumSecurityLevel": 0
        },
        "oid": "1.2.840.113549.1.1.13"
      }
    },
    {
      "name": "RSA-2048",
      "type": "cryptographic-asset",
      "bom-ref": "crypto/key/[email protected]",
      "cryptoProperties": {
        "assetType": "related-crypto-material",
        "relatedCryptoMaterialProperties": {
          "type": "public-key",
          "id": "2e9ef09e-dfac-4526-96b4-d02f31af1b22",
          "state": "active",
          "size": 2048,
          "algorithmRef": "crypto/algorithm/[email protected]",
          "securedBy": {
            "mechanism": "None"
          },
          "creationDate": "2016-11-21T08:00:00Z",
          "activationDate": "2016-11-21T08:20:00Z"
        },
        "oid": "1.2.840.113549.1.1.1"
      }
    },
    {
      "name": "RSA-2048",
      "type": "cryptographic-asset",
      "bom-ref": "crypto/algorithm/[email protected]",
      "cryptoProperties": {
        "assetType": "algorithm",
        "algorithmProperties": {
          "parameterSetIdentifier": "2048",
          "executionEnvironment": "software-plain-ram",
          "implementationPlatform": "x86_64",
          "certificationLevel": [ "none" ],
          "cryptoFunctions": [ "encapsulate", "decapsulate" ]
        },
        "oid": "1.2.840.113549.1.1.1"
      }
    }
  ]
}
```
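The point of a CBOM inventory is that it can be queried: the certificate entry links, via `signatureAlgorithmRef` and `subjectPublicKeyRef`, to the algorithm entries that carry `nistQuantumSecurityLevel`, and `notValidAfter` gives the renewal deadline. The following is an added example, not code from the CycloneDX project, that walks those links over a constructed CBOM in the same shape as above; the `bom-ref` strings in it are assumptions chosen so every reference resolves.

```python
import json
from datetime import datetime

# Constructed minimal CBOM in the CycloneDX 1.6 shape used on this page. The bom-ref
# values are assumptions, chosen so that every reference resolves within the document.
CBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [
 {"name": "google.com", "type": "cryptographic-asset",
  "bom-ref": "crypto/certificate/google.com@example",
  "cryptoProperties": {"assetType": "certificate", "certificateProperties": {
    "subjectName": "CN = www.google.com", "notValidBefore": "2016-11-21T08:00:00Z",
    "notValidAfter": "2017-11-22T07:59:59Z",
    "signatureAlgorithmRef": "crypto/algorithm/sha512-rsa@example",
    "subjectPublicKeyRef": "crypto/key/rsa-2048@example"}}},
 {"name": "SHA512withRSA", "type": "cryptographic-asset",
  "bom-ref": "crypto/algorithm/sha512-rsa@example", "cryptoProperties": {"assetType": "algorithm",
  "algorithmProperties": {"nistQuantumSecurityLevel": 0}}},
 {"name": "RSA-2048", "type": "cryptographic-asset", "bom-ref": "crypto/key/rsa-2048@example",
  "cryptoProperties": {"assetType": "related-crypto-material", "relatedCryptoMaterialProperties": {
    "type": "public-key", "size": 2048, "algorithmRef": "crypto/algorithm/rsa-2048@example"}}},
 {"name": "RSA-2048", "type": "cryptographic-asset", "bom-ref": "crypto/algorithm/rsa-2048@example",
  "cryptoProperties": {"assetType": "algorithm",
  "algorithmProperties": {"nistQuantumSecurityLevel": 0}}}]}"""

def _ts(rfc3339: str) -> datetime:
    # CBOM timestamps are RFC 3339; rewrite the "Z" suffix for older fromisoformat().
    return datetime.fromisoformat(rfc3339.replace("Z", "+00:00"))

def audit_certificates(cbom_text: str, now_rfc3339: str) -> list[dict]:
    """One finding per certificate: expiry status plus quantum readiness via the bom-ref links."""
    cbom, now = json.loads(cbom_text), _ts(now_rfc3339)
    by_ref = {c["bom-ref"]: c for c in cbom["components"]}
    findings = []
    for comp in cbom["components"]:
        props = comp.get("cryptoProperties", {})
        if props.get("assetType") != "certificate":
            continue
        cert = props["certificateProperties"]
        sig_alg = by_ref[cert["signatureAlgorithmRef"]]
        key = by_ref[cert["subjectPublicKeyRef"]]["cryptoProperties"]["relatedCryptoMaterialProperties"]
        key_alg = by_ref[key["algorithmRef"]]
        # nistQuantumSecurityLevel 0 = no quantum resistance; level 0 on either algorithm flags it.
        level = min(a["cryptoProperties"]["algorithmProperties"].get("nistQuantumSecurityLevel", 0)
                    for a in (sig_alg, key_alg))
        expires = _ts(cert["notValidAfter"])
        findings.append({"subject": cert["subjectName"], "expired": expires < now,
                         "days_left": (expires - now).days, "quantum_vulnerable": level == 0,
                         "signature_algorithm": sig_alg["name"],
                         "key": f'{key_alg["name"]} {key["size"]}-bit'})
    return findings
```

Run against the page's metadata timestamp (`2024-01-09T12:00:00Z`) the single certificate comes back both expired and quantum-vulnerable, which is exactly the kind of renewal and migration item a CBOM is meant to surface.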
Reference: NIST SP 1800-38B, Migration to Post-Quantum Cryptography: Quantum Readiness: Cryptographic Discovery.